---
layout: docs
page_title: Service Mesh Debugging
description: >-
  Use the `consul connect proxy` command to connect to services or masquerade as other services for development and debugging purposes. Example code demonstrates connecting to services that are part of the service mesh as listeners only.
---

# Service Mesh Debugging

It is often necessary to connect to a service for development or debugging.
If a service only exposes a service mesh listener, then we need a way to establish
a mutual TLS connection to the service. The
[`consul connect proxy` command](/consul/commands/connect/proxy) can be used
for this task on any machine with access to a Consul agent (local or remote).

Restricting access to services only via service mesh ensures that the only way to
connect to a service is through valid authorization of the
[intentions](/consul/docs/connect/intentions). This can extend to developers
and operators, too.

## Connecting to Mesh-only Services

As an example, let's assume that we have a PostgreSQL database running that
we want to connect to via `psql`, but the only non-loopback listener is
via Connect. Let's also assume that we have an ACL token to identify as
`operator-mitchellh`. We can start a local proxy:

```shell-session
$ consul connect proxy \
  -service operator-mitchellh \
  -upstream postgresql:8181
```

This works because the source `-service` does not need to be registered
in the local Consul catalog. However, to retrieve a valid identifying
certificate, the ACL token must have `service:write` permissions. This
can be used as a sort of "debug service" to represent people, too. In
the example above, the proxy is identifying as `operator-mitchellh`.

With the proxy running, we can now use `psql` like normal:

```shell-session
$ psql --host=127.0.0.1 --port=8181 --username=mitchellh mydb
>
```

This `psql` session is now happening through our local proxy via an
authorized mutual TLS connection to the PostgreSQL service in our Consul
catalog.

### Masquerading as a Service

You can also easily masquerade as any source service by setting the
`-service` value to any service. Note that the proper ACL permissions are
required to perform this task.

For example, if you have an ACL token that allows `service:write` for
`web` and you want to connect to the `postgresql` service as "web", you
can start a proxy like so:

```shell-session
$ consul connect proxy \
  -service web \
  -upstream postgresql:8181
```
